Support iam policy member of domain type in iam scanner's required mode, #1093
Conversation
Codecov Report
@@ Coverage Diff @@
## dev #1093 +/- ##
=========================================
+ Coverage 83.29% 83.3% +0.01%
=========================================
Files 163 163
Lines 7829 7837 +8
=========================================
+ Hits 6521 6529 +8
Misses 1308 1308
|
blueandgold
changed the title
| rules_engine.rule_book.org_res_rel_dao = mock.MagicMock() | ||
| find_ancestor_mock = mock.MagicMock( | ||
| side_effect=[[self.org789]]) | ||
| rules_engine.rule_book.org_res_rel_dao.find_ancestors = \ |
There was a problem hiding this comment.
Backslashes should not be used for line continuation. So, do it like this:
rules_engine.rule_book.org_res_rel_dao.find_ancestors = (
find_ancestor_mock)
| actual_violations = set(rules_engine.find_policy_violations( | ||
| self.project1, policy)) | ||
|
|
||
| # expected |
There was a problem hiding this comment.
We should drop this comment as the variable's name is already self-documenting.
| self.assertEqual(expected_violations, actual_violations) | ||
|
|
||
| def test_policy_all_projects_must_have_owners_from_wildcard_domain(self): | ||
| """Test a policy where the owner belongs to the required domain and the |
There was a problem hiding this comment.
This is a very good method doc, but the summary needs to be 1 line. So, let's break this up to something like this:
"""Test a policy where the owner belongs to wildcard domain.
Test a policy where the owner belongs to the required domain and the
domain is specified as a wildcard user ('members': ['user:*@xyz.edu'])
"""
| rules_engine.rule_book.org_res_rel_dao = mock.MagicMock() | ||
| find_ancestor_mock = mock.MagicMock( | ||
| side_effect=[[self.org789]]) | ||
| rules_engine.rule_book.org_res_rel_dao.find_ancestors = \ |
There was a problem hiding this comment.
ditto on backslash continution
| policy = { | ||
| 'bindings': [{ | ||
| 'role': 'roles/owner', | ||
| 'members': ['user:def@xyz.edu'] |
There was a problem hiding this comment.
Can you please add a second test case for a non-xyz domain? user:def@abc.edu So, that we know for sure if there is a violation, it will be triggered?
| @@ -288,6 +288,28 @@ def create_from(cls, member): | |||
| member_name = identity_parts[1] | |||
| return cls(identity_parts[0], member_name=member_name) | |||
|
|
|||
| def _user_is_in_domain(self, other): | |||
There was a problem hiding this comment.
This naming should follow boolean naming convention, and might better as: is_matching_domain()
| @@ -288,6 +288,28 @@ def create_from(cls, member): | |||
| member_name = identity_parts[1] | |||
| return cls(identity_parts[0], member_name=member_name) | |||
|
|
|||
| def _user_is_in_domain(self, other): | |||
| """Determine whether user belongs to domain. | |||
There was a problem hiding this comment.
Technically, not a user. But more clear as IAM policy member. So:
"""Determine whether IAM policy member belongs to domain.
| specification and the policy to check specifies users. | ||
|
|
||
| Args: | ||
| other (IamPolicyMember): The policy binding to check. |
There was a problem hiding this comment.
Please clarify this, by adding member like:
other (IamPolicyMember): The policy binding member to check.
| @@ -1405,6 +1403,87 @@ def test_project_required(self): | |||
| ]) | |||
| self.assertItemsEqual(expected_violations, actual_violations) | |||
|
|
|||
| def test_policy_all_projects_must_have_owners_from_domain(self): | |||
There was a problem hiding this comment.
Please clarify this method name, to show that it's using the domain member type. So, a good name would be:
test_policy_all_projects_must_have_owners_from_domain_type
|
|
||
| self.assertEqual(expected_violations, actual_violations) | ||
|
|
||
| def test_policy_all_projects_must_have_owners_from_wildcard_domain(self): |
There was a problem hiding this comment.
Please clarify this method name, to show that it's using the wildcard domain from user type. So, a good name would be:
test_policy_all_projects_must_have_owners_from_wildcard_domain_of_user_type
|
@blueandgold -- addressed your review comments, please take a look. Thanks! |
|
@blueandgold not sure about whitelist / blacklist mode .. maybe we can open a separate issue for that? |
|
@blueandgold once this PR lands, I will port the changes to |
* ported code to 2.0-dev based branch * fix tests
Hello there!
This fixes issue #799. Please take a look and let me know what you think. Thanks!